Flame alleged to have infected systems via Windows Update

The fake Windows update was signed with what looked like a valid Microsoft certificate
Source: Costin Raiu

In the course of ongoing investigations into the Flame spyware trojan, virus expert Costin Raiu from Kaspersky has made a discovery which is as exciting as it is disquieting: Flame appears to have been able to use Windows Update to infect other computers on the same network.

According to Raiu, a Flame module called Gadget possesses man-in-the-middle functionality which enabled it to pass crafted update packages to other computers on the same network. One such package was called WuSetupV.exe and was signed with a certificate issued by the "Microsoft Enforced Licensing Registration Authority CA", a sub-CA of Microsoft's root authority. A further tweet from the virus expert implies that Flame distributed updates within networks via a virtual server called MSHOME-F3BE293C.

Microsoft has already confirmed that Flame developers were able to issue valid Microsoft certificates. It is not, however, clear whether Windows actually accepted the Flame update without complaint. The fake update packages are unlikely to have spread here in the UK as, according to Raiu, the Gadget MITM module only becomes active when the time zone is set to UTC+2 or more (east of our time zone).
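The two observable traits described above, an update fetched from a machine on the local network rather than from Microsoft or the organisation's own update server, and a package whose signing chain runs through the sub-CA named in the article, are both things a defender can hunt for in update or proxy logs. The following Python is an added detection sketch written for this article; it is not Kaspersky's or Microsoft's code. The log line format, the hostnames in the allowlist (including the hypothetical internal WSUS server wsus.corp.example) and the sample log lines are all constructed for the example; only the file name WuSetupV.exe, the server name MSHOME-F3BE293C and the issuer string come from the article.

```python
"""Flag Windows Update downloads that came from an unexpected source host or
that were signed under the sub-CA named in the Flame reporting.

Log format, allowlist hosts and sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosts an update client is expected to fetch from. The Microsoft CDN names are
# illustrative; wsus.corp.example is a hypothetical internal WSUS server.
APPROVED_UPDATE_HOSTS = {
    "download.windowsupdate.com",
    "update.microsoft.com",
    "wsus.corp.example",
}

# Issuer the article names as having signed the fake WuSetupV.exe package.
SUSPECT_ISSUERS = {
    "Microsoft Enforced Licensing Registration Authority CA",
}

# Constructed one-line-per-download format:
#   <timestamp> client=<host> server=<host> file=<name> issuer="<signing CA>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) server=(?P<server>\S+) '
    r'file=(?P<file>\S+) issuer="(?P<issuer>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    client: str
    reason: str   # "unexpected_update_source" or "suspect_signing_ca"
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev: dict) -> List[Finding]:
    """Apply both detections to one parsed download event."""
    findings = []
    server = ev["server"].lower()
    if server not in APPROVED_UPDATE_HOSTS:
        # A peer on the LAN serving updates is exactly the Gadget MITM pattern.
        findings.append(Finding(ev["ts"], ev["client"],
                                "unexpected_update_source", server))
    if ev["issuer"] in SUSPECT_ISSUERS:
        # Chain through the abused sub-CA, regardless of where it came from.
        findings.append(Finding(ev["ts"], ev["client"],
                                "suspect_signing_ca", ev["issuer"]))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run the detections over a batch of log lines; unparsable lines are skipped."""
    out: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            out.extend(check_event(ev))
    return out


# Constructed sample log: one clean CDN download, one download from the
# MSHOME-F3BE293C peer signed by the suspect CA, one clean WSUS download,
# and one malformed line. The benign issuer string is illustrative only.
SAMPLE_LOG = [
    '2012-06-04T10:15:02Z client=ws-017 server=download.windowsupdate.com '
    'file=update-a.msu issuer="Illustrative Benign Microsoft Signing CA"',
    '2012-06-04T10:16:40Z client=ws-022 server=MSHOME-F3BE293C '
    'file=WuSetupV.exe issuer="Microsoft Enforced Licensing Registration Authority CA"',
    '2012-06-04T10:17:11Z client=ws-031 server=wsus.corp.example '
    'file=update-b.msu issuer="Illustrative Benign Microsoft Signing CA"',
    'garbage line that should be ignored',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client}: {f.reason} ({f.detail})")
```

In a real deployment the issuer string would be read from the package's Authenticode signature rather than from a log field, and the allowlist would be populated from the organisation's actual WSUS or update-proxy configuration; the point of the sketch is that both signals are cheap to check and that a match on either one deserves a look, since a valid-looking chain alone would not have caught this package.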

Kaspersky has also released further details of the botnet infrastructure behind Flame. The Flame developers reportedly used at least fifteen command and control servers, each of which was responsible for more than 50 victims. According to the report, the lights went out on the botnet just hours after details of Flame were first published.

Flame's operators used a number of fake identities to register their domains. According to Kaspersky, server locations included Germany, the Netherlands, the UK, Switzerland, Hong Kong and Turkey. Most victims were running 32-bit editions of Windows 7, with a sizeable 45 per cent running XP. Flame does not work on the 64-bit edition of Windows 7.

Kaspersky reports that it was able to divert many of the domains to a sinkhole, so that infected systems were then forwarding their data to Kaspersky. The data collected consisted primarily of PDF and Office documents, as well as AutoCAD files (technical drawings).